Controls/EDCA-SEC-003.json

{
  "id": "EDCA-SEC-003",
  "title": "AD Domain functional level compatible with Exchange",
  "description": "Exchange Server requires a minimum Active Directory functional level that depends on the installed version:\n• Exchange 2016: Windows Server 2008 R2 (level 4)\n• Exchange 2019: Windows Server 2012 R2 (level 6)\n• Exchange SE: Windows Server 2016 (level 7)\n\nRunning Exchange in a domain with an insufficient functional level is unsupported. The functional level also determines which authentication hardening features (for example newer Kerberos protections) the domain can enforce, so a level that is too low has security as well as supportability impact. Microsoft states this requirement as a forest functional level; a domain's level is never lower than its forest's, so check the forest level as well as the domain level, and confirm the level required for the installed version and CU against the referenced requirements page.",
  "verify": false,
  "subject": "Organization",
  "category": "Platform Security",
  "severity": "High",
  "severityWeight": 8,
  "frameworks": [
    "Best Practice"
  ],
  "references": [
    {
      "name": "Exchange Server system requirements",
      "url": "https://learn.microsoft.com/exchange/plan-and-deploy/system-requirements"
    }
  ],
  "remediation": {
    "automatable": false,
    "description": "Raise the AD Domain functional level to the minimum required for the installed Exchange version. Check the current level first (Get-ADDomain reports it in DomainMode) and verify it again after the change. All domain controllers in the domain must be running the corresponding Windows Server version or later before the domain functional level can be raised; the operation requires Domain Admins (or equivalent) rights.",
    "scriptTemplate": "# Check the current domain functional level first:\n# (Get-ADDomain -Identity <DomainFQDN>).DomainMode\n# Raise it only if it is below the level required for the installed Exchange version\n# (Windows2008R2Domain for Exchange 2016, Windows2012R2Domain for Exchange 2019, Windows2016Domain for Exchange SE):\n# Set-ADDomainMode -Identity <DomainFQDN> -DomainMode Windows2012R2Domain"
  },
  "considerations": "Lowering a domain functional level is only possible in limited cases (Windows Server 2008 R2 and later, and not once optional features such as the Active Directory Recycle Bin have been enabled), so treat the change as effectively irreversible; otherwise it requires a full forest recovery. Once raised, domain controllers running older Windows Server versions can no longer be added to the domain. Ensure all domain controllers in the domain are running the required Windows Server version or later before raising the functional level. Test in a non-production environment first. Coordinate with the Active Directory team, as the change affects all services in the domain — not only Exchange.",
  "roles": [
    "Mailbox"
  ]
}